From 285cfaf0954d4c3e320b205c288240c1828476fe Mon Sep 17 00:00:00 2001 From: "Jay S. Bryant" Date: Thu, 20 Nov 2014 11:06:48 -0600 Subject: [PATCH] context.elevated() should use copy.deepcopy() Currently context.elevated is just doing a copy.copy(self). This needs to be changed to use copy.deepcopy so that the list reference is not shared between objects which leaves the possibility of an admin role leak. This fix changes context.elevated use copy.deepcopy. Change-Id: I349c53ccbe9e02ad2a3e84ae897424db9785a170 Closes-bug: 1386932 --- cinder/context.py | 2 +- cinder/tests/test_context.py | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/cinder/context.py b/cinder/context.py index 5a826891f..4942c9f3a 100644 --- a/cinder/context.py +++ b/cinder/context.py @@ -148,7 +148,7 @@ class RequestContext(object): def elevated(self, read_deleted=None, overwrite=False): """Return a version of this context with admin flag set.""" - context = copy.copy(self) + context = self.deepcopy() context.is_admin = True if 'admin' not in context.roles: diff --git a/cinder/tests/test_context.py b/cinder/tests/test_context.py index bcb25859b..4ae9b4b52 100644 --- a/cinder/tests/test_context.py +++ b/cinder/tests/test_context.py @@ -54,6 +54,16 @@ class ContextTestCase(test.TestCase): 'read_deleted', True) + def test_request_context_elevated(self): + user_context = context.RequestContext( + 'fake_user', 'fake_project', admin=False) + self.assertFalse(user_context.is_admin) + admin_context = user_context.elevated() + self.assertFalse(user_context.is_admin) + self.assertTrue(admin_context.is_admin) + self.assertFalse('admin' in user_context.roles) + self.assertTrue('admin' in admin_context.roles) + def test_service_catalog_nova_and_swift(self): service_catalog = [ {u'type': u'compute', u'name': u'nova'}, -- 2.45.2